
Change npm audit default behavior


I'm looking to change the default behavior of npm audit.

The default behavior is to audit all packages, including developer-only packages. This is not very useful, as I trust my development environment and care more about production-level security. This is not to say I'm ignoring the development vulnerabilities entirely, as I still have been looking them over, but rather I would like to put my focus on what's more important--production.

npm audit has had the --production flag for the audit command since version 6. How can I make this flag default to true when running npm audit? I'd like to specify --production (or --omit=dev) for npm install in my package.json. Is this possible?

(Also, any discussion about the ramifications of this action or to clarify any misconceptions you think I might have would be welcome too, as I can't object to learning more.)


Solution

  • You can do it by setting an environment variable from within package.json. This works for both npm audit and install.

    The environment variable you want to set is NODE_ENV:

    omit will default to dev if you set the NODE_ENV environment variable to 'production'

    For example:

    ...
    "scripts": {
      "audit:prod": "NODE_ENV=production npm audit",
      "install:prod": "NODE_ENV=production npm install"
    },
    ...
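As an added example, not part of the answer above or of npm itself: a small POSIX shell wrapper that scopes NODE_ENV=production to the audit invocation only (so an exported NODE_ENV does not later make `npm install` silently drop devDependencies, which is the main ramification of the approach) and verifies the `omit` value npm actually resolves before trusting the report. The `effective_omit` helper mirrors only npm's documented default for `omit` plus the `npm_config_omit` environment override; it is an assumption used for illustration and does not read `.npmrc`. The script name `audit-prod.sh` and the function names are invented.

```shell
#!/bin/sh
# audit-prod.sh: run `npm audit` against production dependencies only.
# Added example, not the answer's own code. Names are hypothetical.
set -eu

# Mirror npm's documented default for `omit`: "dev" when NODE_ENV is
# "production", otherwise empty. An explicit npm_config_omit in the
# environment takes precedence over that default. Assumption: project and
# user .npmrc files are not consulted by this helper.
effective_omit() {
  if [ -n "${npm_config_omit:-}" ]; then
    printf '%s\n' "$npm_config_omit"
  elif [ "${NODE_ENV:-}" = "production" ]; then
    printf 'dev\n'
  else
    printf '\n'
  fi
}

# Return 0 if the current configuration would exclude dev deps from the audit.
# `omit` may hold a comma-separated list (e.g. "dev,optional"), so match a field.
excludes_dev() {
  case ",$(effective_omit)," in
    *,dev,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the audit with NODE_ENV scoped to this single command. Exporting
# NODE_ENV=production for the whole shell would also make `npm install`
# omit devDependencies, which breaks local builds and test tooling.
run_prod_audit() {
  level="${1:-high}"   # fail only at this severity or above (npm --audit-level)
  if ! command -v npm >/dev/null 2>&1; then
    echo "npm not found; skipping audit" >&2
    return 2
  fi
  # Check what npm itself resolves, not just what this script expects;
  # an .npmrc entry or older npm could change the outcome.
  resolved="$(NODE_ENV=production npm config get omit)"
  case ",$resolved," in
    *,dev,*) : ;;
    *) echo "expected omit=dev, npm resolved '$resolved'" >&2; return 1 ;;
  esac
  NODE_ENV=production npm audit --audit-level="$level"
}

# Only run when executed directly as audit-prod.sh, not when sourced.
if [ "${0##*/}" = "audit-prod.sh" ]; then
  run_prod_audit "${1:-high}"
fi
```

Usage: `sh audit-prod.sh moderate` from the project root, or reference it from a package.json script. Keeping the environment variable on the command line rather than exporting it is the point: the audit sees omit=dev, while a plain `npm install` in the same shell still installs devDependencies.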